Python yara.compile() Examples

The following are 30 code examples for showing how to use yara.compile(). These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example.

You may check out the related API usage on the sidebar.

You may also want to check out all available functions/classes of the module yara , or try the search function .

Example 1
Project: unipacker   Author: unipacker   File: shell.py    License: GNU General Public License v2.0 7 votes vote down vote up
def do_yara(self, args):
        """Run YARA rules against the sample

Usage:          yara [<rules_path>]

If no rules file is specified, the default 'malwrsig.yar' is being used.
Those rules are then compiled and checked against the memory dump of the current emulator state (see 'dump' for further
details on this representation)"""
        if not args:
            if not self.rules:
                try:
                    self.rules = yara.compile(filepath=f"{os.path.dirname(unipacker.__file__)}/malwrsig.yar")
                    print("Default rules file used: malwrsig.yar")
                except:
                    print(f"{Fore.LIGHTRED_EX}Error: malwrsig.yar not found!{Fore.RESET}")
        else:
            self.rules = yara.compile(filepath=args)
        self.sample.unpacker.dump(self.engine.uc, self.engine.apicall_handler, self.sample)
        matches = self.rules.match("unpacked.exe")
        print(", ".join(map(str, matches))) 
Example 2
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def dotnet_resource_names(self):
        """
        Read .NET Resources and return a list of resource names
        :return: list
        """
        try:
            rules = yara.compile(source='import "dotnet" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")
        resource_list = []

        def modules_callback(data):
            for i, resource in enumerate(data.get('resources', [])):
                resource_list.append(resource['name'])
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return resource_list 
Example 3
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def dotnet_resource_by_name(self, resource_name):
        """
        Extract a .NET Resource by name
        :param resource_name:
        :return:
        """
        try:
            rules = yara.compile(source='import "dotnet" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")

        def modules_callback(data):
            for i, resource in enumerate(data.get('resources', [])):
                if resource['name'] == resource_name:
                    offset = resource['offset']
                    length = resource['length']
                    self.res_data = self.file_data[offset:offset + length]


            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return self.res_data 
Example 4
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def elf_list_sections(self):
        """
        Read a list of sections from an elf binary
        :return: list of section names
        """
        try:
            rules = yara.compile(source='import "elf" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara ELF did you enable it?")
        section_names = []

        def modules_callback(data):
            for i, section in enumerate(data.get('sections', [])):
                section_names.append(section['name'].decode('utf-8'))
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)

        return section_names 
Example 5
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def elf_section_by_name(self, resource_name):
        """
        Extract an elf section by name
        :param resource_name:
        :return:
        """
        try:
            rules = yara.compile(source='import "elf" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara ELF did you enable it?")

        def modules_callback(data):
            for i, section in enumerate(data.get('sections', [])):
                if section['name'].decode('utf-8') == resource_name:
                    offset = section['offset']
                    length = section['size']
                    self.res_data = self.file_data[offset:offset + length]
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return self.res_data 
Example 6
Project: rekall   Author: google   File: yarascanner.py    License: GNU General Public License v2.0 6 votes vote down vote up
def __init__(self, *args, **kwargs):
        """Scan using yara signatures."""
        super(YaraScanMixin, self).__init__(*args, **kwargs)

        # Compile the yara rules in advance.
        if self.plugin_args.yara_expression:
            self.rules_source = self.plugin_args.yara_expression
            self.rules = yara.compile(source=self.rules_source)

        elif self.plugin_args.binary_string:
            self.compile_rule(
                'rule r1 {strings: $a = {%s} condition: $a}' %
                self.plugin_args.binary_string)

        elif self.plugin_args.string:
            self.compile_rule(
                'rule r1 {strings: $a = "%s" condition: $a}' %
                self.plugin_args.string)

        elif self.plugin_args.yara_file:
            self.compile_rule(open(self.plugin_args.yara_file).read())

        elif not self.ignore_required:
            raise plugin.PluginError("You must specify a yara rule file or "
                                     "string to match.") 
Example 7
Project: aumfor   Author: virtualrealitysystems   File: linux_truecrypt.py    License: GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example 8
Project: aumfor   Author: virtualrealitysystems   File: poisonivy.py    License: GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
Example 9
Project: ACE   Author: IntegralDefense   File: pdf-parser.py    License: Apache License 2.0 6 votes vote down vote up
def YARACompile(ruledata):
    if ruledata.startswith('#'):
        if ruledata.startswith('#h#'):
            rule = binascii.a2b_hex(ruledata[3:])
        elif ruledata.startswith('#b#'):
            rule = binascii.a2b_base64(ruledata[3:])
        elif ruledata.startswith('#s#'):
            rule = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}' % ruledata[3:]
        elif ruledata.startswith('#q#'):
            rule = ruledata[3:].replace("'", '"')
        else:
            rule = ruledata[1:]
        return yara.compile(source=rule)
    else:
        dFilepaths = {}
        if os.path.isdir(ruledata):
            for root, dirs, files in os.walk(ruledata):
                for file in files:
                    filename = os.path.join(root, file)
                    dFilepaths[filename] = filename
        else:
            for filename in ProcessAt(ruledata):
                dFilepaths[filename] = filename
        return yara.compile(filepaths=dFilepaths) 
Example 10
Project: idawilli   Author: williballenthin   File: yara_fn.py    License: Apache License 2.0 6 votes vote down vote up
def test_yara_rule(rule):
    '''
    try to match the given rule against each segment in the current exectuable.
    raise TestDidntRunError if its not possible to import the YARA library.
    return True if there's at least one match, False otherwise.
    '''
    try:
        import yara
    except ImportError:
        logger.warning("can't test rule: failed to import python-yara")
        raise TestDidntRunError('python-yara not available')

    r = yara.compile(source=rule)

    for segment in get_segments():
        matches = r.match(data=segment.buf)
        if len(matches) > 0:
            logger.info('generated rule matches section: {segment.name}')
            return True
    return False 
Example 11
Project: Python-Digital-Forensics-Cookbook   Author: PacktPublishing   File: yara_scanner.py    License: MIT License 6 votes vote down vote up
def main(yara_rules, path_to_scan, output):
    if os.path.isdir(yara_rules):
        yrules = yara.compile(yara_rules)
    else:
        yrules = yara.compile(filepath=yara_rules)

    if os.path.isdir(path_to_scan):
        match_info = process_directory(yrules, path_to_scan)
    else:
        match_info = process_file(yrules, path_to_scan)

    columns = ['rule_name', 'hit_value', 'hit_offset', 'file_name',
               'rule_string', 'rule_tag']

    if output is None:
        write_stdout(columns, match_info)
    else:
        write_csv(output, columns, match_info) 
Example 12
Project: ida_haru   Author: TakahiroHaruyama   File: yara_fn.py    License: Apache License 2.0 6 votes vote down vote up
def test_yara_rule(rule):
    '''
    try to match the given rule against each segment in the current exectuable.
    raise TestDidntRunError if its not possible to import the YARA library.
    return True if there's at least one match, False otherwise.
    '''
    try:
        import yara
    except ImportError:
        logger.warning("can't test rule: failed to import python-yara")
        raise TestDidntRunError('python-yara not available')

    r = yara.compile(source=rule)

    for segment in get_segments():
        if segment.buf is not None:
            matches = r.match(data=segment.buf)
            if len(matches) > 0:
                logger.info('generated rule matches section: {:s}'.format(segment.name))
                return True
    return False 
Example 13
Project: CIRTKit   Author: opensourcesec   File: rat.py    License: MIT License 6 votes vote down vote up
def auto(self):
        if not HAVE_YARA:
            self.log('error', "Missing dependency, install yara (see http://plusvic.github.io/yara/)")
            return

        if not __sessions__.is_set():
            self.log('error', "No session opened")
            return

        rules = yara.compile(os.path.join(CIRTKIT_ROOT, 'data/yara/rats.yara'))
        for match in rules.match(__sessions__.current.file.path):
            if 'family' in match.meta:
                self.log('info', "Automatically detected supported RAT {0}".format(match.rule))
                self.get_config(match.meta['family'])
                return

        self.log('info', "No known RAT detected") 
Example 14
Project: SSMA   Author: secrary   File: check.py    License: GNU General Public License v3.0 6 votes vote down vote up
def is_malware(filename):
    if not os.path.exists("rules_compiled/malware"):
        os.mkdir("rules_compiled/malware")
    for n in os.listdir("rules/malware/"):
        if not os.path.isdir("./" + n):
            try:
                rule = yara.compile("rules/malware/" + n)
                rule.save("rules_compiled/malware/" + n)
                rule = yara.load("rules_compiled/malware/" + n)
                m = rule.match(filename)
                if m:
                    return m
            except:
                pass  # internal fatal error or warning
        else:
            pass


# Added by Yang 
Example 15
Project: omnibus   Author: InQuest   File: yara.py    License: MIT License 6 votes vote down vote up
def run(self):
        results = {'matches': {}}

        all_rules = list_dir(self.rules)

        for r in all_rules:
            rule = yara.compile(r)
            matches = rule.match(data=open(self.artifact['path'], 'rb').read())

            for m in matches:
                if m.rule not in results['matches'].keys():
                    results['matches'][m.rule] = []
                for tag in m.tags:
                    if tag not in results['matches'][m.rule]:
                        results['matches'][m.rule].append(tag)

        self.artifact['data']['yara'] = results 
Example 16
Project: Cortex-Analyzers   Author: TheHive-Project   File: yara_analyzer.py    License: GNU Affero General Public License v3.0 6 votes vote down vote up
def __init__(self):
        Analyzer.__init__(self)

        self.rulepaths = self.get_param('config.rules', None, 'No paths for rules provided.')
        if isinstance(self.rulepaths, str):
            self.rulepaths = [self.rulepaths]

        self.ruleset = []
        for rulepath in self.rulepaths:
            if os.path.isfile(rulepath):
                if rulepath[len(rulepath)-3:] == 'yar':
                    self.ruleset.append(yara.compile(rulepath))
                elif rulepath[len(rulepath)-3:] == 'yas':
                    self.ruleset.append(yara.load(rulepath))
            elif os.path.isdir(rulepath):
                if os.path.isfile(rulepath + '/index.yas'):
                    self.ruleset.append(yara.load(rulepath + '/index.yas'))
                elif os.path.isfile(rulepath + '/index.yar'):
                    self.ruleset.append(yara.compile(rulepath + '/index.yar')) 
Example 17
Project: volatility   Author: volatilityfoundation   File: linux_truecrypt.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example 18
Project: vortessence   Author: vortessence   File: linux_truecrypt.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example 19
Project: vortessence   Author: vortessence   File: poisonivy.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
Example 20
Project: binaryalert   Author: airbnb   File: compile_rules.py    License: Apache License 2.0 6 votes vote down vote up
def compile_rules(target_path: str) -> None:
    """Compile YARA rules into a single binary rules file.

    Args:
        target_path: Where to save the compiled rules file.
    """
    # Each rule file must be keyed by an identifying "namespace"; in our case the relative path.
    yara_filepaths = {relative_path: os.path.join(RULES_DIR, relative_path)
                      for relative_path in _find_yara_files()}

    # Compile all available YARA rules. Note that external variables are defined but not set;
    # these will be set at runtime by the lambda function during rule matching.
    rules = yara.compile(
        filepaths=yara_filepaths,
        externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
    rules.save(target_path) 
Example 21
Project: binaryalert   Author: airbnb   File: yara_mocks.py    License: Apache License 2.0 6 votes vote down vote up
def save_test_yara_rules(rules_save_file: str, empty_rules_file: bool = False):
    """Save compiled test YARA rules to the filesystem, which should already be mocked.

    Args:
        rules_save_file: Path to rules save file.
        empty_rules_file: If true, writes an empty rules file.
    """
    if empty_rules_file:
        sources = {'empty.yar': ''}
    else:
        sources = {'evil_check.yar': EVIL_STRING_RULE, 'externals.yar': RULES_WITH_VARIABLES}

    # Compile YARA rules and save them as an in-memory binary string.
    rules = yara.compile(
        sources=sources,
        externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
    rule_data = io.BytesIO()
    rules.save(file=rule_data)
    rule_data.seek(0)

    # Save the files to the mock filesysytem.
    with open(rules_save_file, 'wb') as file:
        file.write(rule_data.read()) 
Example 22
Project: DAMM   Author: 504ensicsLabs   File: linux_truecrypt.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example 23
Project: PeekabooAV   Author: scVENUS   File: peekabooyar.py    License: GNU General Public License v3.0 6 votes vote down vote up
def evaluate(self, s):
        rules = yara.compile(
            source='''
            rule peekabooyar
            {
                strings:
                    $peekabooyar1 = "X5O!P%@AP-/_(:)_/-X22x8cz2$PeekabooAV-STD-ANTIVIRUS-TEST-FILE!$H+H*"

                condition:
                    $peekabooyar1
            }'''
        )

        # FIXME: Only user of file_path. Remove?
        with open(s.file_path, 'rb') as sample_file:
            matches = rules.match(data=sample_file.read())

        if matches != []:
            return self.result(Result.bad,
                               "Die Datei beinhaltet Peekabooyar",
                               False)

        return self.result(Result.unknown,
                           "Die Datei beinhaltet kein erkennbares Peekabooyar",
                           True) 
Example 24
Project: RATDecoders   Author: kevthehermit   File: test_yara.py    License: MIT License 5 votes vote down vote up
def test_yara_pe():
    yara.compile(source='import "pe" rule a { condition: false }') 
Example 25
Project: RATDecoders   Author: kevthehermit   File: test_yara.py    License: MIT License 5 votes vote down vote up
def test_yara_dotnet():
    yara.compile(source='import "dotnet" rule a { condition: false }') 
Example 26
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def pe_resource_id(self, res_id):
        """
        Read resource by its ID. Useful where normal pe file fails. 
        :return: list
        """
        try:
            rules = yara.compile(source='import "pe" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")
        resource_list = []

        def modules_callback(data):
            for i, resource in enumerate(data.get('resources', [])):
                if 'id' in resource:
                    if resource['id'] == res_id:
                        offset = resource['offset']
                        length = resource['length']
                        self.res_data = self.file_data[offset:offset + length]
                elif 'name_string' in resource:
                    # Remove null bytes for a better comparison
                    res_name = resource['name_string'].decode('UTF-8').replace('\x00', '')
                    # Check both unicode and plain str versions of name

                    if res_name == res_id or resource['name_string'] == res_id:
                        offset = resource['offset']
                        length = resource['length']
                        self.res_data = self.file_data[offset:offset + length]
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return self.res_data 
Example 27
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def dotnet_user_strings(self):
        """
        Parse a list of User Strings from a .NET Binary file
        :return: list of strings
        """
        try:
            rules = yara.compile(source='import "dotnet" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")
        user_strings = []

        def modules_callback(data):
            for i, userstring in enumerate(data.get('user_strings', [])):
                # Remove null bytes
                userstring = userstring.replace(b'\x00', b'')

                # Add string to list
                try:
                    user_strings.append(userstring.decode('utf-8'))
                except UnicodeDecodeError:
                    pass

            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)

        return user_strings 
Example 28
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def ascii_strings(self, min_len=4):
        """
        parse a list of ascii strings from a binary file
        :return:
        """
        string_list = []
        chars = b" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
        regexp = b'[%s]{%d,}' % (chars, min_len)
        pattern = re.compile(regexp)
        for s in pattern.finditer(self.file_data):
            string_list.append(s.group())
        return string_list 
Example 29
Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def unicode_strings(self, min_len=4):
        string_list = []
        chars = r" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
        regexp = b'((?:[%s]\x00){%d,})' % (chars, min_len)
        pattern = re.compile(regexp)
        for s in pattern.finditer(self.file_data):
            string_list.append(s.group()) 
Example 30
Project: RATDecoders   Author: kevthehermit   File: netwire.py    License: MIT License 5 votes vote down vote up
def yara_scan(self, raw_data, rule_name):
        yara_data = []
        yara_rules = yara.compile(source=rule_source)
        matches = yara_rules.match(data=raw_data)
        for match in matches:
            if match.rule == 'opcodes':
                for item in match.strings:
                    if item[1] == rule_name:
                        data = item[2]
                        yara_data.append(data)
        return yara_data